Add sops kms keys

terraform/aws/kms/main.tf

@@ -19,10 +19,47 @@ resource "aws_iam_user" "vault_user" {
     name = "vault-unseal-user"
 }
 
+resource "aws_iam_user" "sops_user" {
+    name = "sops-user"
+}
+
 resource "aws_iam_access_key" "vault_user_key" {
     user = aws_iam_user.vault_user.name
 }
 
+resource "aws_iam_access_key" "sops_user_key" {
+    user = aws_iam_user.sops_user.name
+}
+
+resource "aws_kms_key" "vault" {
+    description                 = "Hashicorp Vault auto unseal key"
+    key_usage                   = "ENCRYPT_DECRYPT"
+    customer_master_key_spec    = "SYMMETRIC_DEFAULT"
+    deletion_window_in_days     = 30
+    is_enabled                  = true
+    multi_region                = false
+    enable_key_rotation         = false
+}
+
+resource "aws_kms_key" "sops" {
+    description                 = "SOPS operational key"
+    key_usage                   = "ENCRYPT_DECRYPT"
+    customer_master_key_spec    = "SYMMETRIC_DEFAULT"
+    deletion_window_in_days     = 30
+    is_enabled                  = true
+    multi_region                = false
+    enable_key_rotation         = false
+}
+
+resource "aws_kms_alias" "vault" {
+    name          = "alias/hashicorp-vault-unseal"
+    target_key_id = aws_kms_key.vault.key_id
+}
+resource "aws_kms_alias" "sops" {
+    name          = "alias/sops"
+    target_key_id = aws_kms_key.vault.key_id
+}
+
 resource "aws_iam_user_policy" "vault_policy" {
     name = "vault-unseal-policy"
     user = aws_iam_user.vault_user.name
@@ -44,30 +81,48 @@ resource "aws_iam_user_policy" "vault_policy" {
     )
 }
 
-output "access_key_id" {
+resource "aws_iam_user_policy" "sops_policy" {
+    name = "sops-policy"
+    user = aws_iam_user.sops_user.name
+    policy = jsonencode(
+        {
+            Version = "2012-10-17"
+            Statement = [
+                {
+                    Effect = "Allow"
+                    Action = [
+                        "kms:Decrypt",
+                        "kms:DescribeKey",
+                        "kms:Encrypt"
+                    ]
+                    Resource = aws_kms_key.sops.arn
+                }
+            ]
+        }
+    )
+}
+
+output "vault_access_key_id" {
     value = aws_iam_access_key.vault_user_key.id
 }
 
-output "secret_access_key" {
+output "vault_secret_access_key" {
-    value = aws_iam_access_key.vault_user_key.secret
+    value = nonsensitive(aws_iam_access_key.vault_user_key.secret)
-    sensitive = true
 }
 
-output "kms_key_id" {
+output "vault_kms_key_id" {
     value = aws_kms_key.vault.key_id
 }
 
-resource "aws_kms_key" "vault" {
+output "sops_access_key_id" {
-    description                 = "Hashicorp Vault auto unseal key"
+    value = aws_iam_access_key.sops_user_key.id
-    key_usage                   = "ENCRYPT_DECRYPT"
+}
-    customer_master_key_spec    = "SYMMETRIC_DEFAULT"
+
-    deletion_window_in_days     = 30
+output "sops_secret_access_key" {
-    is_enabled                  = true
+    value = nonsensitive(aws_iam_access_key.sops_user_key.secret)
-    multi_region                = false
+}
-    enable_key_rotation         = false
+
+output "sops_kms_key_id" {
+    value = aws_kms_key.sops.key_id
 }
 
-resource "aws_kms_alias" "main" {
-    name          = "alias/hashicorp-vault-unseal"
-    target_key_id = aws_kms_key.vault.key_id
-}